Essential Eight Baseline
Canonical reference. Audience-neutral. The security-maturity anchor referenced from every audience's Strategy and Tactical tiers.
The Essential Eight is a set of eight baseline mitigation strategies published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). It's the de facto security baseline for Australian organisations — and because it's measurable, it doubles as a shared language between technicians, management, and boards.
Note — Currency
The Essential Eight Maturity Model is maintained by the ACSC and updated periodically (most recently a significant revision in November 2023). Always work from the current version at cyber.gov.au. The summary below is an orientation, not a substitute for the official model.
The eight mitigation strategies
- Application control — allow only approved applications to execute, preventing malicious code from running.
- Patch applications — keep applications current; remediate vulnerabilities quickly. (See Patch Management.)
- Configure Microsoft Office macro settings — block macros from the internet and limit their use, closing a common malware vector.
- User application hardening — harden browsers and applications (e.g. block Flash, ads, and Java where unnecessary) to reduce attack surface.
- Restrict administrative privileges — limit and control admin rights so a compromised account does less damage. (See MFA & Entra ID Hardening.)
- Patch operating systems — keep operating systems current and replace end-of-life systems. (See Patch Management.)
- Multi-factor authentication — verify identity with more than a password. (See MFA & Entra ID Hardening.)
- Regular backups — maintain and test backups so you can recover from an incident. (See Backup & Disaster Recovery.)
The maturity model
The model defines four maturity levels, and an organisation's maturity is assessed across all eight strategies together:
- Maturity Level Zero — not aligned with the intent of the strategy; meaningful weaknesses exist.
- Maturity Level One — basic protection against opportunistic, unsophisticated attacks.
- Maturity Level Two — protection against more capable adversaries using better tools and techniques.
- Maturity Level Three — protection against adaptive, highly capable, targeted adversaries.
The ACSC recommends implementing all eight strategies to the same maturity level before moving the whole set up — uneven implementation leaves exploitable gaps. Choose a target level proportionate to your threat profile and risk appetite.
How to use this baseline
- Business Owners — treat your Essential Eight maturity as a board-level metric: pick a target level, fund the gap as a project, and report on it. (See Business Owners — Strategy and Tactical.)
- MSPs — productise Essential Eight uplift as a defined, repeatable offering. (See MSP — Strategy.)
- Internal IT — run it as an internal program with an owner, a roadmap, and ongoing reporting. (See Internal IT — Strategy.)
The other pages in this library are the concrete implementations of individual strategies. This page is the map that ties them together.